Msgas
just joined
Topic Author
Posts: 8
Joined: Sat Apr 10, 2021 9:59 am

Setting up web and mail server

Tue Apr 20, 2021 1:56 pm

Hi
I haven't worked on MikroTik for a very long time, but I replaced my Asus home router to learn more about MikroTik again.

I am using the RB3011 and have done the basic configuration so the internet works.

I have a bridge that covers ports 2-5; on port 6 I have my server, but I have not added it to the bridge yet.
My network is 11.10.10.0/24 and my server is on 11.10.10.50.
My server runs 4 websites and a mail server, and I also run a local DNS on it for the internal network. The Asus had just a DMZ option that set all ports open to the server, so I am running a firewall on it.

How can I set up this web and mail server behind my MikroTik network? I have looked at hairpin NAT, but I think I can solve it better since I run a DNS.

Any step by step guide would be nice. I just want to learn.

Best regards
Møller
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting up web and mail server

Tue Apr 20, 2021 2:40 pm

IF you put the server on its own subnet, then you won't need hairpin NAT.
The issue is that people behind the router on the same LAN subnet as the server will NOT be able to reach the server by WAN IP address, IF that is how you intended LAN users to reach your servers.
Normal LAN to LAN traffic can always pass.
Last edited by anav on Tue Apr 20, 2021 6:33 pm, edited 1 time in total.
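To make the trade-off above concrete, here is an added example (not from anav or the thread) of the two ways to let LAN clients reach a server that sits on the same subnet as them: hairpin NAT, and the split-horizon DNS approach the topic author hints at. It assumes ether1 is the WAN with a dynamic address, that the WAN interface list from the thread exists, that the LAN/server subnet is the thread's 11.10.10.0/24 with the router at 11.10.10.1 and the server at 11.10.10.50, and that www.example.com is a placeholder hostname.

```routeros
# Added example: reaching a same-subnet server by its public name.
# Assumptions (not from the thread): WAN = ether1 (dynamic address, list "WAN"),
# LAN = 11.10.10.0/24, router = 11.10.10.1, server = 11.10.10.50,
# www.example.com = placeholder hostname.

# Option A: hairpin NAT.
# dst-address-type=local matches any of the router's own addresses, so the same
# rule covers connections arriving from the internet AND LAN clients that aim at
# the WAN address. The router's LAN address is excluded so that WebFig on
# 11.10.10.1 is not silently redirected to the server.
/ip firewall nat
add chain=dstnat action=dst-nat comment="web to server (WAN and hairpin)" \
    dst-address-type=local dst-address=!11.10.10.1 protocol=tcp \
    dst-port=80,443 to-addresses=11.10.10.50
# LAN-sourced hairpin flows must be masqueraded, otherwise the server answers the
# client directly and the client drops the reply (it expected it from the WAN IP).
add chain=srcnat action=masquerade comment="hairpin nat" \
    src-address=11.10.10.0/24 dst-address=11.10.10.50 protocol=tcp \
    dst-port=80,443
add chain=srcnat action=masquerade out-interface-list=WAN

# Option B: split-horizon DNS.
# Internal clients resolve the name straight to the LAN address, so no hairpin
# rule is needed; only the dst-nat for traffic coming in from the WAN remains.
/ip dns static
add name=www.example.com address=11.10.10.50 comment="internal view"
```

With option B the "hairpin nat" masquerade rule can be dropped entirely, which also keeps the server's logs showing real client addresses instead of the router's. In both cases the forward chain still needs the default "accept dstnat from WAN" rule for the published ports to pass.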
 
Msgas
just joined
Topic Author
Posts: 8
Joined: Sat Apr 10, 2021 9:59 am

Re: Setting up web and mail server

Tue Apr 20, 2021 3:41 pm

IF you put the server on its own subnet, then you won't need hairpin NAT.
The issue is that people behind the router on the same LAN subnet as the server will NOT be able to reach the server by WAN IP address, IF that is how you intended LAN users to reach your servers.
Normal LAN to LAN traffic can always pass.
Well, they don't have to really, but is there a way to set the RDP port open so I can access it?
I made these changes now to what you suggested, if I am correct. If it's correct, what rule do I apply to port 6 for this to work?
add name=local
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=11.10.8.1-11.10.10.0,11.10.10.2-11.10.11.254
add name=dhcp ranges=11.10.8.1-11.10.10.0
add name=dhcp_pool2 ranges=11.10.10.2-11.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=local name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether6 name=dhcp2
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=local list=LAN
/ip address
add address=11.10.10.1/22 interface=local network=11.10.8.0
add address=11.10.10.1/24 interface=ether6 network=11.10.10.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=11.10.8.0/22 dns-server=1.1.1.1 gateway=11.10.10.1
add address=11.10.10.0/24 dns-server=1.1.1.1 gateway=11.10.10.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
    port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting up web and mail server

Tue Apr 20, 2021 7:07 pm

Hi there,
(1) Add ether6 to the LAN membership
/interface list member
add interface=ether1 list=WAN
add interface=local list=LAN

add interface=ether6 list=LAN

(2) Your IP pools are screwed up LOL
From
/ip pool
add name=dhcp_pool0 ranges=11.10.8.1-11.10.10.0,11.10.10.2-11.10.11.254
add name=dhcp ranges=11.10.8.1-11.10.10.0
add name=dhcp_pool2 ranges=11.10.10.2-11.10.10.254

TO
/ip pool
add name=dhcp ranges=11.10.8.2-11.10.8.254
add name=dhcp_pool2 ranges=11.10.10.2-11.10.10.254

(3) Fix server
From
/ip dhcp-server network
add address=11.10.8.0/22 dns-server=1.1.1.1 gateway=11.10.10.1
TO
add address=11.10.8.0/24 dns-server=1.1.1.1 gateway=11.10.8.1

(4) Masquerade rule......
a. IF you have a dynamic WANIP the standard is slightly different.
/ip firewall nat
From
add action=masquerade chain=srcnat out-interface=ether1
TO
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

b. If the WAN IP is static/fixed the best format is
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=<your fixed WAN IP>

Finally we get to the problematic area: people frigging with the default rules when they really shouldn't, until they know more.

THIS IS A BIG RED FLAG...
You have made your router vulnerable on the internet..... and that is a big NO NO.

Disconnect your router from the internet until it is fixed up.
Please use the following default rules.
/ip firewall filter
# input chain
add action=accept chain=input comment="accept established,related untracked" \
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# forward chain
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
.....
THEN we can migrate you from a SAFE initial start to a better targeted SAFE setup, if you understand what the rules above are doing and what the rules below are doing.
/ip firewall filter
# input chain
add action=accept chain=input comment="Allow Estab-Relat-untrck" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Authorized_Access" in-interface-list=LAN \
    src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# disable the next rule if port forwarding is not in use
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

Note: to create the firewall address list called 'adminaccess' that the input chain (fourth rule) uses, assuming you have statically assigned IP addresses, it looks like:
/ip firewall address-list
add address=IPaddress of your desktop list=adminaccess
add address=IPaddress of your laptop list=adminaccess
add address=IPaddress of your ipad/tablet list=adminaccess
add address=IPaddress of your smartphones list=adminaccess
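The reply above gives the corrections piece by piece. As an added example (not anav's or the topic author's own export), here are those corrections consolidated into one script together with the NAT and forward rules the web and mail server on ether6 needs once it is on its own subnet. Assumptions not stated in the thread: ether1 is the WAN with a dynamic address; the bridge "local" (ether2-5) is re-addressed to 11.10.8.1/24 so that it actually owns the 11.10.8.1 gateway given in item (3); ether6 keeps 11.10.10.1/24 with the server at 11.10.10.50; the published services are HTTP/HTTPS and SMTP/submission/IMAPS; the server also answers DNS for internal clients; the adminaccess entry 11.10.8.10 is a placeholder; and RDP (3389) is accepted only from adminaccess hosts, never from the WAN.

```routeros
# Added example: corrected addressing plus server rules. Assumptions (not from
# the thread): WAN = ether1 (dynamic), local bridge = 11.10.8.1/24,
# ether6 = 11.10.10.1/24, server = 11.10.10.50, 11.10.8.10 = placeholder admin PC.

/interface list member
add interface=ether1 list=WAN
add interface=local list=LAN
add interface=ether6 list=LAN

/ip address
add address=11.10.8.1/24 interface=local network=11.10.8.0
add address=11.10.10.1/24 interface=ether6 network=11.10.10.0

/ip pool
add name=dhcp ranges=11.10.8.2-11.10.8.254
add name=dhcp_pool2 ranges=11.10.10.2-11.10.10.254
/ip dhcp-server network
add address=11.10.8.0/24 dns-server=1.1.1.1 gateway=11.10.8.1
add address=11.10.10.0/24 dns-server=1.1.1.1 gateway=11.10.10.1

/ip firewall address-list
add address=11.10.8.10 list=adminaccess comment="desktop (placeholder address)"
add address=11.10.10.50 list=servers comment="web + mail server"

# NAT: dynamic WAN address, so masquerade; only the published ports are dst-natted.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
add chain=dstnat action=dst-nat comment="web" in-interface-list=WAN \
    protocol=tcp dst-port=80,443 to-addresses=11.10.10.50
add chain=dstnat action=dst-nat comment="mail" in-interface-list=WAN \
    protocol=tcp dst-port=25,587,993 to-addresses=11.10.10.50

# Forward chain: because the server is on its own subnet, client-subnet to
# server traffic is routed and therefore filtered here too.
/ip firewall filter
add chain=forward action=fasttrack-connection comment="fasttrack" \
    connection-state=established,related
add chain=forward action=accept comment="established,related" \
    connection-state=established,related
add chain=forward action=drop comment="drop invalid" connection-state=invalid
add chain=forward action=accept comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# From the internet only connections that were dst-natted to the server pass.
add chain=forward action=accept comment="published services from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
    dst-address-list=servers
# Internal clients reach the same services plus the server's DNS directly.
add chain=forward action=accept comment="LAN clients to server services" \
    connection-state=new in-interface-list=LAN dst-address-list=servers \
    protocol=tcp dst-port=80,443,25,587,993,53
add chain=forward action=accept comment="LAN clients to server DNS (UDP)" \
    connection-state=new in-interface-list=LAN dst-address-list=servers \
    protocol=udp dst-port=53
# RDP only from the admin hosts; there is deliberately no WAN rule for 3389.
add chain=forward action=accept comment="RDP to server from admin hosts" \
    connection-state=new src-address-list=adminaccess \
    dst-address=11.10.10.50 protocol=tcp dst-port=3389
add chain=forward action=drop comment="drop all else"
```

Note what the final drop gives you for free: the server can reach the internet (it is in the LAN list) and answer what clients ask of it, but it cannot open new connections into the 11.10.8.0/24 client subnet, so a compromised web or mail service cannot use the router to pivot onto the desktops.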
 
Msgas
just joined
Topic Author
Posts: 8
Joined: Sat Apr 10, 2021 9:59 am

Re: Setting up web and mail server

Tue Apr 20, 2021 11:59 pm

Hi
Thank you for taking the time to reply, I will try your suggestion tomorrow :) And I haven't put the 3011 in the network yet; I want to get it secure and in good working condition before I switch it out.
Thank you again for trying to teach an old fool :)

Møller
 
atuxnull
Frequent Visitor
Posts: 82
Joined: Tue Feb 07, 2017 10:02 pm

Re: Setting up web and mail server

Wed Apr 21, 2021 9:46 am

Just to point out that you are using public IP addresses in your LAN and doing NAT. This should cause an issue.
You mention that your LAN is 11.10.10.0/24, while, if you would like to check, the private IP address ranges are
10.0.0.0 – 10.255.255.255,
172.16.0.0 – 172.31.255.255,
192.168.0.0 – 192.168.255.255
I would suggest changing your LAN to one of the aforementioned ranges, unless you have public IP addresses, in which case there is no need for NAT/PAT.
